Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-16242

Package keys are being verified despite check_gpg=False in source

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Critical Critical
    • rhel-9.4
    • None
    • osbuild-composer
    • None
    • ZStream
    • sst_image_builder
    • ssg_front_door
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • Approved Blocker

      After upgrading MicroShift's CI host to 9.3 beta I started to notice significant amount of "Signature check failed" failure (I checked last 2 weeks on 9.2 and this didn't happen once).
      Failure happens for packages from sources pointing to mirror.openshift.com even though they have check_gpg=false (though it can be seen later that value for the RPM is true).

      Log from our CI: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_microshift/2503/pull-ci-openshift-microshift-main-microshift-metal-tests/1716769592161865728/artifacts/microshift-metal-tests/openshift-microshift-infra-iso-build/build-log.txt

      + echo 'Package source: microshift-crel'
      Package source: microshift-crel
      + sudo composer-cli sources info microshift-crel
      + sed -e 's/gpgkeys.*/gpgkeys = .../g'
      check_gpg = false
      check_repogpg = false
      check_ssl = true
      id = "microshift-crel"
      name = "Repository with already existing RPMs for current release"
      rhsm = false
      system = false
      type = "yum-baseurl"
      url = "https://mirror.openshift.com/pub/openshift-v4/x86_64/microshift/ocp-dev-preview/latest-4.15/el9/os"
      

      and later

                          {
                              "arch": "x86_64",
                              "check_gpg": true,
                              "checksum": "sha256:ade4bc2aa31c295442b6cf6acd0ddcde8461cb7fe3a230ae86f20265b8a9b6b7",
                              "epoch": 0,
                              "name": "microshift",
                              "release": "202310230745.p0.g85bcc47.assembly.ec.1.el9",
                              "remote_location": "https://mirror.openshift.com/pub/openshift-v4/x86_64/microshift/ocp-dev-preview/latest-4.15/el9/os/Packages/microshift-4.15.0~ec.1-202310230745.p0.g85bcc47.assembly.ec.1.el9__x86_64/microshift-4.15.0~ec.1-202310230745.p0.g85bcc47.assembly.ec.1.el9.x86_64.rpm",
                              "version": "4.15.0~ec.1"
                          },
      

      Slack convo with Achilleas: https://redhat-internal.slack.com/archives/C03DP9PABNC/p1698148519266669

            brlane@redhat.com Brian Lane
            pmatusza@redhat.com Patryk Matuszak
            Osbuilders Bot Account Osbuilders Bot Account
            Release Test Team Release Test Team
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: